Transcription
SUBSCRIPTION SERVICE GUIDESUBSCRIPTION SERVICE GUIDE1.SUPPORTServiceNow will provide support for the Subscription Service as set forth in the Customer Support Policy attachedto this Subscription Service Guide as Exhibit A.2 and incorporated herein by reference. The Customer SupportPolicy may be updated periodically.2.UPGRADES AND UPDATESServiceNow will provide upgrades and updates to the Subscription Service as described in Exhibit A.3 Upgradesand Updates attached to this Subscription Service Guide and incorporated herein by reference. The Upgrade andUpdate exhibit may be updated periodically.3.DATA PROCESSING ADDENDUMThe parties’ agreement with respect to the processing of personal information submitted to the Subscription Serviceis described in the Data Processing Addendum attached to this Subscription Service Guide as Exhibit A.4 andincorporated herein by reference. The Data Processing Addendum may be updated periodically.4.DATA SECURITY GUIDEServiceNow will implement and maintain security procedures and practices appropriate to information technologyservice providers designed to protect Customer Data from unauthorized access, destruction, use, modification, ordisclosure, as described in the Data Security Guide attached to this Subscription Service Guide as Exhibit A.5 andincorporated herein by reference. The Data Security Guide may be updated periodically.5.INSURANCEServiceNow agrees to maintain in effect during the Subscription Term, at ServiceNow’s expense, the followingminimum insurance coverage:5.1Workers’ Compensation Insurance, in accordance with applicable statutory, federal, and other legalrequirements;5.2Employers’ Liability Insurance covering ServiceNow’s employees in an amount of not less than 1,000,000 for bodily injury by accident and 1,000,000 each employee for bodily injury by disease;5.3Commercial General Liability Insurance written on an occurrence form and including coverage forbodily injury, property damage, products and completed operations, personal injury, and advertising injury arisingout of the products or services provided by ServiceNow under this Agreement, with minimum limits of 1,000,000per occurrence/ 2,000,000 aggregate;5.4Commercial Automobile Liability Insurance providing coverage for hired and non-owned automobilesused in connection with this Agreement in an amount of not less than 1,000,000 per accident, combined singlelimit for bodily injury and property damage;5.5Combined Technology Errors’ & Omissions Policy with a 5,000,000 per claim limit, including:(a) Professional Liability Insurance providing coverage for the services and software in this Agreement (whichcoverage will be maintained for at least two years after termination of this Agreement); and (b) Privacy, Security,and Media Liability Insurance providing liability coverage for unauthorized access or disclosure, security breaches,and system attacks, as well as infringements of copyright and trademark that might result from this Agreement; and5.6Excess Liability over Employers’ Liability, Commercial General Liability, and Commercial AutomobileLiability, with a 5,000,000 aggregate limit.For the purpose of this Section 5, a “claim” means a written demand for money or a civil proceeding which iscommenced by service of a complaint or similar pleading.SERVICENOW CONFIDENTIALPage 1 of 16 (version 20180531)
SUBSCRIPTION SERVICE GUIDE6.AVAILABILITY SERVICE LEVEL6.1DEFINITIONS.6.1.1. “Available” means that the Subscription Service can be accessed by authorized users.6.1.2. “Excused Downtime” means: (a) Maintenance Time of up to two hours per month; and (b) anytime the Subscription Service is not Available due to circumstances beyond ServiceNow’s control, includingmodifications of the Subscription Service by any person other than ServiceNow or a person acting at ServiceNow’sdirection, a Force Majeure Event, general Internet outages, failure of Customer’s infrastructure or connectivity(including direct connectivity and virtual private network (“VPN”) connectivity to the Subscription Service), computerand telecommunications failures and delays, and network intrusions or denial-of-service or other criminal attacks.6.1.3. “Infrastructure Modification” means any repairs, maintenance, improvements, or changes tothe cloud infrastructure used by ServiceNow to operate and deliver the Subscription Service.6.1.4. “Maintenance Time” means the time the Subscription Service is not Available due to anInfrastructure Modification, Upgrade, and Update.6.1.5. “Availability SLA” means that the production instances of the Subscription Service will beAvailable at least 99.8% of the time during a calendar month, excluding Excused Downtime.6.2AVAILABILITY. If Customer’s production instances of the Subscription Service fall below theAvailability SLA during a calendar month, Customer’s exclusive remedy for failure of the Subscription Service tomeet the Availability SLA is to request that either: (a) the affected Subscription Term be extended for the numberof minutes the Subscription Service was not Available in the month in accordance with the Availability SLA; or(b) ServiceNow issue a service credit to Customer for the dollar value of the number of minutes the SubscriptionService was not Available in the month in accordance with the Availability SLA (determined at the deemed perminute rate ServiceNow charges to Customer for Customer’s use of the affected Subscription Service), whichCustomer may request ServiceNow apply to the next invoice for subscription fees.6.3REQUESTS. Customer must request all service credits or extensions in writing to ServiceNow within30 days of the end of the month in which the Availability SLA was not met, identifying the support requests relatingto the period Customer’s production instances of the Subscription Service was not Available. The total amount ofservice credits for any month may not exceed the subscription fee for the affected Subscription Service for thatmonth and has no cash value. ServiceNow may delay issuing service credits until such amounts reach 1,000 USDor equivalent currency specified in the applicable Order Form.6.4NOTICE. ServiceNow will give Customer 10 days’ prior notice of an Infrastructure Modification ifServiceNow, in its reasonable judgment, believes that the Infrastructure Modification will impact Customer’s use ofits production instances of the Subscription Service, unless, in the reasonable judgment of ServiceNow, theInfrastructure Modification is necessary to: (a) maintain the availability, security, or performance of the SubscriptionService; (b) comply with Law; or (c) avoid infringement or misappropriation of third-party Intellectual PropertyRights./////////Remainder of page intentionally left blankSERVICENOW CONFIDENTIALPage 2 of 16 (version 20180531)
SUBSCRIPTION SERVICE GUIDEEXHIBIT A.2 - CUSTOMER SUPPORT POLICYThis Customer Support Policy governs the support that ServiceNow will provide for its Subscription Service(“Customer Support”).1.SCOPEThe purpose of Customer Support is to resolve defects that cause a nonconformity in the Subscription Service ascompared to the Product Overview. A resolution to a defect may consist of a fix, workaround, or other relief, asServiceNow deems reasonable. Customer Support does not include performing the following services: implementation services; configuration services; integration services; customization services or other custom software development; training; or assistance with administrative functions.Customer Support is not required to provide resolutions for immaterial defects or defects due to modifications of theSubscription Service made by any person other than ServiceNow or a person acting at ServiceNow’s direction, ordefects on any instance of the Subscription Service not in conformance with Exhibit A.3 - Upgrades and Updates.2.BUSINESS HOURSCustomer Support is available 24 hours a day, 7 days a week, including all holidays.3.ACCESS CONTACTSServiceNow’s Customer Support portal (“Support Portal”) is located at https://hi.service-now.com/. Customer mayget login access to the Support Portal by contacting its ServiceNow administrator.ServiceNow’s Customer Support may be reached by phone using one of the numbers ml.4.INCIDENT PRIORITYIncident priority for a defect is determined using the guidelines below.PriorityDefinitionP1Any defect that causes an instance not to be Available.P2Any defect that causes a critical function to fail.P3Any defect that significantly impedes work or progress.P4Any defect that does not significantly impede work or progress.SERVICENOW CONFIDENTIALPage 3 of 16 (version 20180531)
SUBSCRIPTION SERVICE GUIDE5.RESPONSE TIMES AND LEVEL OF EFFORTCustomer may submit an incident with ServiceNow via the Support Portal or phone. Response times are notaffected by the manner of contact. All support requests are tracked in the Support Portal and can be viewed byCustomer’s authorized contacts. ServiceNow will use reasonable efforts to meet the target response times andtarget level of effort stated in the table below.Priority6.Target Response TimesTarget Level of EffortP130 minutesContinuously, 24 hours per day, 7 days per weekP22 hoursContinuously, but not necessarily 24 hours per day, 7 days per weekP31 business dayAs appropriate during normal business hoursP4N/AVariesCUSTOMER RESPONSIBILITIESCustomer’s obligations with respect to Customer Support are as follows:6.1Customer will receive from ServiceNow communications via email, phone, or through the SupportPortal regarding the Subscription Service.6.2Customer will appoint no more than 10 contacts (“Customer Authorized Contacts”) to engageCustomer Support for questions and technical issues.6.2.1. Customer must maintain the following Customer Authorized Contacts: Primary Business Contact; Secondary Business Contact; Technical Contact; Support Contact; Primary Customer Administrator; and Security Contact.6.2.2. Customer will maintain current information for all Customer Authorized Contacts in the SupportPortal.6.2.3. Only Customer Authorized Contacts will contact Customer Support.6.2.4. Customer will train all Customer Authorized Contacts on the use and administration of theSubscription Service.6.3Customer will cooperate to enable ServiceNow to deliver the Subscription Service and CustomerSupport.6.4Customer is solely responsible for the use of the Subscription Service by its users./////////Remainder of page intentionally left blankSERVICENOW CONFIDENTIALPage 4 of 16 (version 20180531)
SUBSCRIPTION SERVICE GUIDEEXHIBIT A.3 - UPGRADES AND UPDATES1.DEFINITIONS1.1“Upgrades” are ServiceNow’s releases of the Subscription Service for enhancements or new features(including a new Release Family) applied by ServiceNow to Customer’s instances of the Subscription Service at noadditional fee during the Subscription Term.1.2“Updates” are ServiceNow’s releases (including patches and hotfixes) of the Subscription Serviceapplied by ServiceNow to Customer’s instances of the Subscription Service at no additional fee during theSubscription Term that provide problem fixes, but do not generally include new functionality, and are released asneeded.1.3“Release Family” is an Upgrade that is a complete solution with new features or enhancements,including previously released Updates if applicable to the features included in the Upgrade. For example,ServiceNow’s “Geneva” Upgrade established the “Geneva Release Family”, and ServiceNow’s “Helsinki” Upgradeestablished the “Helsinki Release Family”.1.4“Critical Upgrade” is an Upgrade that in ServiceNow’s reasonable judgment is critical to maintainingthe availability, security or performance of the Subscription Service; comply with applicable laws or to avoidinfringement or misappropriation of a third-party Intellectual Property Right.1.5“Critical Update” is an Update that in ServiceNow’s reasonable judgment is critical to maintaining theavailability, security or performance of the Subscription Service; comply with applicable laws or to avoid infringementor misappropriation of a third-party Intellectual Property Right.1.6“Supported Release Family” at a particular time means the then-current Release Family and the prior2 Release Families.2.UPGRADES AND UPDATESServiceNow shall determine, in its sole discretion: (a) whether and when to develop, release and apply any Updateor Upgrade to Customer’s instances of the Subscription Service; and (b) whether a particular release is an Update,Upgrade or new service offering that is available separately for purchase.3.NOTICEServiceNow shall: (a) give Customer 30 days’ notice of any Upgrade to the Subscription Service; and (b) usereasonable efforts to give Customer 10 days’ notice of any Update to the Subscription Service. Notwithstanding theforegoing, ServiceNow may provide Customer with shorter notice or no notice before the application of a CriticalUpgrade or a Critical Update.4.SUPPORTED AND NON-SUPPORTED RELEASE FAMILIESCustomer acknowledges that the current Release Family is the version of the Subscription Service containing themost current features, availability, performance and security. Within a Supported Release Family, the most recentUpdate is the version of the Subscription Service for that Release Family that contains the most current problemfixes, availability, performance and security. A Customer using a Supported Release Family may be required toapply a Critical Update within the Supported Release Family. A Customer that has not Upgraded to a SupportedRelease Family may experience defects, for which Customer hereby agrees that ServiceNow is not responsible,including without limitation those that affect the features, availability, performance and security of the SubscriptionService, that are fixed in the most current version of the Subscription Service. A Customer who is not using aSupported Release Family may be required to apply an Upgrade to a Supported Release Family./////////Remainder of page intentionally left blankSERVICENOW CONFIDENTIALPage 5 of 16 (version 20180531)
SUBSCRIPTION SERVICE GUIDEEXHIBIT A.4 - DATA PROCESSING ADDENDUMThis Data Processing Addendum (“DPA”) is deemed to include Sections 1 through 9 below, including the attachedAppendix 1, and the Data Security Guide, all of which are expressly deemed incorporated in the Agreement by thisreference.In the event of any conflict between the terms of this DPA and the terms of the Agreement with respect to the subjectmatter herein, this DPA shall control. Any data processing agreements that may already exist between parties aswell as any earlier version of the Data Security Guide to which the parties may have agreed are superseded andreplaced by this DPA in their entirety. All capitalized terms not defined in this DPA will have the meaning given tothem in other parts of the Agreement.1.DEFINITIONS1.1“Affiliates” means any person or entity directly or indirectly Controlling, Controlled by or undercommon Control with a party to the Agreement, where “Control” means the legal power to direct or cause thedirection of the general management of the company, partnership, or other legal entity.1.2“Agreement” means the Order Form or Use Authorization or other signed ordering document, asapplicable, between ServiceNow and Customer and the signed master agreement (if any) for the purchase of theSubscription Service.1.3“Data Controller” means the natural or legal person, public authority, agency, or other body which,alone or jointly with others, determines the purposes and means of Processing of Personal Data. For purposes ofthis DPA, Data Controller is Customer and, where applicable, its Affiliates either permitted by Customer to submitPersonal Data to the Subscription Service or whose Personal Data is Processed in the Subscription Service.1.4“Data Processor” means the natural or legal person, public authority, agency, or other body whichProcesses Personal Data on behalf of the Data Controller. For purposes of this DPA, Data Processor is theServiceNow entity that is a party to the Agreement.1.5“Data Protection Laws” means all applicable laws and regulations regarding the Processing ofPersonal Data and includes GDPR.1.6“Data Subject” means an identified or identifiable natural person.1.7“GDPR” means the European Union’s General Data Protection Regulation (2016/679).1.8“Instructions” means Data Controller’s documented data Processing instructions issued to DataProcessor in compliance with this DPA.1.9“Personal Data” means any information relating to a Data Subject uploaded by or for Customer orCustomer’s agents, employees, or contractors to the Subscription Service as Customer Data.1.10 “Process” or “Processing” means any operation or set of operations which is performed uponPersonal Data, whether or not by automated means, such as collection, recording, organization, structuring,storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, orotherwise making available, alignment or combination, restriction, erasure or destruction.1.11 “Professional Services” means any consulting or development services provided by or on behalf ofServiceNow pursuant to an agreed Statement of Work or Service Description described or referenced in a signedordering document.1.12 “Sub-Processor” means any legal person or entity engaged in the Processing of Personal Data byData Processor. For the avoidance of doubt, ServiceNow’s colocation datacenter facilities are not Sub-Processorsunder this DPA.1.13 “Subscription Service” means the ServiceNow software-as-a-service offering ordered by Customerunder an Order Form, Use Authorization or other signed ordering document between ServiceNow and Customer.1.14 “Subscription Term” means the term of authorized use of the Subscription Service as set forth in theOrder Form, Use Authorization, or other ordering document signed by Customer and ServiceNow.SERVICENOW CONFIDENTIALPage 6 of 16 (version 20180531)
SUBSCRIPTION SERVICE GUIDE2.SCOPE OF THE PROCESSING2.1COMMISSIONED PROCESSOR. Data Controller appoints Data Processor to Process Personal Dataon behalf of Data Controller to the extent necessary to provide the Subscription Service described in the Agreementand in accordance with the Instructions.2.2INSTRUCTIONS. The Agreement constitutes Data Controller’s written Instructions to Data Processorfor Processing of Personal Data. Data Controller may issue additional or alternate Instructions provided that suchInstructions are: (a) consistent with the purpose and the scope of the Agreement; and (b) confirmed in writing byData Controller. For the avoidance of doubt, Data Controller shall not use additional or alternate Instructions to alterthe scope of the Agreement. Data Controller is responsible for ensuring its Instructions to Data Processor complywith Data Protection Laws.2.3NATURE, SCOPE AND PURPOSE OF THE PROCESSING. Data Processor shall only ProcessPersonal Data in accordance with Data Controller’s Instructions and to the extent necessary for providing theSubscription Service and the Professional Services, each as described in the Agreement. Data Controlleracknowledges that all Personal Data it instructs Data Processor to Process for the purpose of providing theProfessional Services must be limited to the Customer Data Processed within the Subscription Service.2.4CATEGORIES OF PERSONAL DATA AND CATEGORIES OF DATA SUBJECTS. Data Controllermay submit Personal Data to the Subscription Service as Customer Data, the extent of which is determined andcontrolled by Data Controller in its sole discretion and is further described in Appendix 1.3.DATA CONTROLLER3.1COMPLIANCE WITH DATA PROTECTION LAWS. Data Controller shall comply with all of itsobligations under Data Protection Laws when Processing Personal Data.3.2SECURITY RISK ASSESSMENT. Data Controller agrees that in accordance with Data ProtectionLaws and before submitting any Personal Data to the Subscription Service, Data Controller will perform anappropriate risk assessment to determine whether the security measures within the Subscription Service providean adequate level of security, taking into account the nature, scope, context and purposes of the processing, therisks associated with the Personal Data and the applicable Data Protection Laws. Data Processor shall provideData Controller reasonable assistance by providing Data Controller with information requested by Data Controllerto conduct Data Controller’s security risk assessment. Data Controller is solely responsible for determining theadequacy of the security measures within the Subscription Service in relation to the Personal Data Processed. Asfurther described in Section 7.1 (Product Capabilities) of the Data Security Guide, the Subscription Service includes,without limitation, column level encryption functionality and role-based access control, which Data Controller mayuse in its sole discretion to ensure a level of security appropriate to the risk of the Personal Data. For clarity, DataController may influence the scope and the manner of Processing of its Personal Data by its own implementation,configuration (i.e., different types of encryption) and use of the Subscription Service, including any other productsor services offered by ServiceNow and third-party integrations.3.3CUSTOMER’S AFFILIATES. The obligations of Data Processor set forth herein will extend toCustomer’s Data Controller Affiliates to which Customer provides access to the Subscription Service or whosePersonal Data is Processed within the Subscription Service, subject to the following conditions:3.3.1. COMPLIANCE. Customer shall at all times be liable for its Affiliates’ compliance with this DPAand all acts and omissions by a Data Controller Affiliate are considered acts and omissions of Customer; and3.3.2. CLAIMS. Customer’s Data Controller Affiliates will not bring a claim directly against DataProcessor. In the event a Data Controller Affiliate wishes to assert a valid legal action, suit, claim or proceedingagainst Data Processor (a “Data Controller Affiliate Claim”): (i) Customer must bring such Data Controller AffiliateClaim directly against Data Processor on behalf of such Data Controller Affiliate, unless Data Protection Lawsrequire that Data Controller Affiliate be party to such Data Controller Affiliate Claim; and (ii) all Data ControllerAffiliate Claims will be considered claims made by Customer and are at all times subject to any aggregate limitationof liability set forth in the Agreement.SERVICENOW CONFIDENTIALPage 7 of 16 (version 20180531)
SUBSCRIPTION SERVICE GUIDE3.3.3. DATA CONTROLLER AFFILIATE ORDERING. If a Data Controller Affiliate purchased aseparate instance of the Subscription Service under the terms of the signed master agreement between ServiceNowand Customer, then such Data Controller Affiliate will be deemed a party to this DPA and shall be treated asCustomer under the terms of this DPA.3.4COMMUNICATION. Unless otherwise provided in this DPA, all requests, notices, cooperation, andcommunication, including Instructions issued or required under this DPA (collectively, “Communication”), must bein writing and between Customer and ServiceNow only and Customer shall inform the applicable Data ControllerAffiliate of any Communication from ServiceNow pursuant to this DPA. Customer shall be solely responsible forensuring that any Communications (including Instructions) it provides to ServiceNow relating to Personal Data forwhich a Customer Affiliate is Data Controller reflect the relevant Customer Affiliate’s intentions.4.DATA PROCESSOR4.1DATA CONTROLLER’S INSTRUCTIONS. Data Processor will have no liability for any harm ordamages resulting from Data Processor’s compliance with Instructions received from Data Controller. Where DataProcessor believes that compliance with Data Controller’s Instructions could result in a violation of Data ProtectionLaws or is not in the ordinary course of Data Processor’s obligations in operating the Subscription Service ordelivering Professional Services, Data Processor shall promptly notify Data Controller thereof. Data Controlleracknowledges that Data Processor is reliant on Data Controller’s representations regarding the extent to whichData Controller is entitled to Process Personal Data.4.2DATA PROCESSOR PERSONNEL. Access to Personal Data by Data Processor will be limited topersonnel who require such access to perform Data Processor’s obligations under the Agreement and who arebound by obligations to maintain the confidentiality of such Personal Data at least as protective as those set forthherein and in the Agreement.4.3DATA SECURITY MEASURES. Without prejudice to Data Controller’s security risk assessmentobligations under Section 3.2 (Security Risk Assessment) above, Data Processor shall maintain appropriatetechnical and organizational safeguards to protect the security, confidentiality, and integrity of Customer Data,including any Personal Data contained therein, as described in Section 2 (Physical, Technical, and AdministrativeSecurity Measures) of the Data Security Guide. Such measures are designed to protect Customer Data from loss,alteration, unauthorized access, acquisition, use, disclosure, or accidental or unlawful destruction, and include:4.3.1. SERVICE ACCESS CONTROL. The Subscription Service provides user and role-based accesscontrols. Data Controller is responsible for configuring such access controls within its instance.4.3.2. LOGGING AND MONITORING. The production infrastructure log activities are centrallycollected and are secured in an effort to prevent tampering and are monitored for anomalies by a trainedsecurity team.4.3.3. DATA SEPARATION. Customer Data shall be maintained within a logical single-tenantarchitecture on multi-tenant cloud infrastructure that is logically and physically separate from ServiceNow’scorporate infrastructure.4.3.4. SERVICE CONTINUITY. The production database servers are replicated in near real time to amirrored data center in a different geographic region.4.3.5. TESTING. Data Processor regularly tests, assess and evaluates the effectiveness of itsinformation security program and may periodically review and update such program to address new and evolvingsecurity technologies, changes to industry standard practices, and changing security threats.4.4DELETION OF PERSONAL DATA. Upon termination or expiration of the Agreement, Data Processorshall return and delete Customer Data, including Personal Data contained therein, as described in the Agreement.4.5DATA CENTERS. Data Processor will host Data Controller’s instances of the Subscription Service indata centers located in the geographic regions specified on the Order Form, Use Authorization, or other signedordering document between ServiceNow and Customer.SERVICENOW CONFIDENTIALPage 8 of 16 (version 20180531)
SUBSCRIPTION SERVICE GUIDE4.6DATA PROTECTION IMPACT ASSESSMENTS (DPIA). Data Processor will, on request, provideData Controller with reasonable information required to fulfill Data Controller’s obligations under GDPR to carry outdata protection impact assessments, if any, for Processing of Personal Data within the Subscription Service.4.7PRIOR CONSULTATION. Data Processor shall provide reasonable assistance (at Data Controller’sexpense) in connection with any prior consultation Data Controller is required to undertake with a supervisoryauthority under Data Protection Laws with respect to Processing of Personal Data in the Subscription Service.4.8DATA PROCESSOR ASSISTANCE. Data Processor will assist Data Controller in ensuringcompliance with Data Controller’s obligations pursuant to Articles 32 to 36 of GDPR taking into account the natureof Processing by providing Data Controller with reasonable information requested pursuant to the terms of this DPA,including information required to conduct Data Controller’s security risk assessment and respond to Data SubjectRequests (defined below). For clarity, Data Controller is solely responsible for carrying out its obligations underGDPR and this DPA. Data Processor shall not undertake any task that can be performed by Data Controller.4.9DATA PROTECTION CONTACT. ServiceNow and its Sub-Processor Affiliates (defined below) willmaintain a dedicated data protection team to respond to data protection inquiries throughout the duration of thisDPA and can be contacted at privacy@servicenow.com.5.REQUESTS MADE FROM DATA SUBJECTS AND AUTHORITIES5.1REQUESTS FROM DATA SUBJECTS. During the Subscription Term, Data Processor shall provideData Controller with the ability to access, correct, rectify, erase, or block Personal Data, or to transfer or port suchPersonal Data, within the Subscription Service, as may be required under Data Protection Laws (collectively, “DataSubject Requests”).5.2RESPONSES. Data Controller will be solely responsible for responding to any Data Subject Requests,provided that Data Processor shall reasonably cooperate with the Data Controller to respond to Data SubjectRequests to the extent Data Controller is unable to fulfill such Data Subject Requests using the functionality in theSubscription Service. Data Processor will instruct the Data Subject to contact the Customer in the event DataProcessor receives a Data Subject Request directly.5.3REQUESTS FROM AUTHORITIES. In the case of a notice, audit, inquiry, or investigation by agovernment body, data protection authority, or law enforcement agency regarding the Processing of Personal Data,Data Processor shall promptly notify Data Controller unless prohibited by applicable law. Data Controller shall keeprecords of the Personal Data Processed by Data Processor and shall cooperate and provide all necessaryinformation to Data Processor in the event Data Processor is required to produce such information to a dataprotection authority.5.4COOPERATION WITH SUPERVISORY AUTHORITIES. In accordance with Data
SUBSCRIPTION SERVICE GUIDE SERVICENOW CONFIDENTIAL Page 5 of 16 (version 20180531) EXHIBIT A.3 - UPGRADES AND UPDATES 1. DEFINITIONS 1.1 "Upgrades" are ServiceNow's releases of the Subscription Service for enhancements or new features (including a new Release Family) applied by ServiceNow to Customer's instances of the Subscription Service at no
